‘I love you’: How a badly-coded computer virus caused billions in damage and exposed problems which remain 20 years on

Skinny, with a mop of black hair falling to his eyebrows, he appeared to barely register the journalists’ shouted questions, his solely motion the occasional dabbing of sweat from his face with a white towel. Seated to his proper, de Guzman’s lawyer Rolando Quimbo needed to lean in shut to listen to the 23-year-old’s mumbled response, which he then repeated in English for the ready press.

“He’s not actually conscious that the acts imputed to him had been certainly completed by him,” the lawyer stated. “So in the event you ask me whether or not or not he was conscious of the results I’d say that he’s not conscious.”

Twenty years on, the ILOVEYOU virus stays one of many farthest reaching ever. Tens of thousands and thousands of computer systems world wide had been affected. The combat to include the malware and monitor down its writer was entrance web page information globally, waking up a largely complacent public to the risks posed by malicious cyber actors. It additionally uncovered vulnerabilities which we’re nonetheless coping with to today, regardless of twenty years of advances in laptop safety and know-how.

This account of the virus relies on interviews with legislation enforcement and investigators concerned within the unique case, contemporaneous CNN reporting and stories by the FBI, Philippines police and the Pentagon.

A number of makes an attempt to succeed in Onel de Guzman for this text, together with by way of his household and former lawyer, had been unsuccessful. De Guzman had not commented publicly since round 2000, till this week when author Geoff White tracked him all the way down to the cellphone restore store he now runs in Manila, the place he admitted to authoring the virus.

Lovestruck

On the afternoon of Could 4, 2000, Michael Gazeley was in his workplace at Star Laptop Metropolis, a warren of IT corporations and retailers promoting electronics and devices overlooking Hong Kong’s Victoria Harbor.

A number of months earlier, Gazeley and his longtime enterprise accomplice, Mark Webb-Johnson, based their very own info safety agency, Community Field, which specialised in defending clients from on-line threats. Each males had many years of expertise within the trade, and had simply completed the grueling (although often profitable) work of making ready for the brand new millennium by staving off the Y2K bug that threatened to trigger widespread injury to programs worldwide.

Although largely remembered at the moment, a lot to the chagrin of these concerned, as an overreaction — or worse, a hoax — the Y2K bug was real, and the potential prices huge. They were avoided because of the diligent efforts of programmers world wide working collectively. It was an indication of the brand new connectivity that the web, nonetheless in its relative infancy, was fostering.

That connectivity reduce each methods, nevertheless, as Gazeley was reminded of that afternoon.

All of the telephones in his workplace began ringing without delay. First had been his purchasers, then got here non-customers, all calling frantically within the hope that Community Field may assist cease a virus that was screaming by way of their programs, destroying and corrupting information because it went.

All of them instructed the identical story: Somebody within the workplace had obtained an e mail with the topic “ILOVEYOU” and the message, “kindly examine the connected LOVELETTER coming from me.” After they opened what seemed to be a textual content file — really an executable program masquerading as one — the virus shortly took management, sending copies of itself to everybody of their e mail tackle e book. These recipients, pondering the e-mail was both some bizarre joke or a severe declaration of affection, opened the attachment in flip, spreading it even additional.

A screenshot showing a copy of the ILOVEYOU virus email which spread around the world in May 2000.

Workplace e mail servers had been quickly clogged as 1000’s of affection letters went forwards and backwards, disseminating the virus to extra individuals. It turned out to be a lot worse than only a self-propelling chain letter. Concurrently it was replicating itself, the ILOVEYOU virus destroyed a lot of the sufferer’s exhausting drive, renaming and deleting 1000’s of information.

Lots of the more and more panicked callers Gazeley was fielding inquiries from didn’t have backups, and he had the awkward job of explaining to them that a lot of their information — every part from spreadsheets and monetary data to photographs and mp3s — had been possible misplaced for good.

“This wasn’t one thing that individuals had been used to as an idea, they did not notice that e mail might be so harmful,” stated Gazeley, recounting the primary calls.

The complete idea of the web was nonetheless comparatively new in 2000. In keeping with statistics from the Worldwide Telecommunications Union (ITU), a United Nations physique, simply 28% of Hong Kongers had entry to the web at the moment, together with 27% of the United Kingdom, and 15% of France. Even in america, the place the know-how was invented, just some 43% of Individuals had been getting on-line.

Two years earlier, Hollywood star Meg Ryan requested “is it infidelity in the event you’re concerned with any individual on e mail?” because the film “You have Obtained Mail” launched individuals to the thought of cyber-romance — and that e mail might be used for one thing apart from boring workplace work.

Network Box co-founder Michael Gazeley was among the first cybersecurity experts to have to tackle the ILOVEYOU virus.

Laptop chaos

From Hong Kong, the place the virus crippled the communications and ravaged file programs of funding banks, public relations companies and the Dow Jones newswire, the love bug unfold westward because the Could Four workday began.

Graham Cluley was on stage at a safety convention in Stockholm, Sweden, when the virus hit Europe. He had simply completed describing an unrelated virus which focused a now-defunct working system, hijacking customers’ accounts to broadcast messages to their coworkers, together with “Friday I am in LOVE.” This, Cluley cracked, was prone to trigger extreme embarrassment for most individuals, however may doubtlessly result in some workplace romance.

Harmful viruses timeline

Michelangelo virus predicted to take down thousands and thousands of machines, however ultimately solely a handful are affected.
Melissa, an e mail worm named after a Florida topless dancer, spreads to 1000’s of computer systems worldwide.
ILOVEYOU virus clogs up e mail servers and causes billions of {dollars} in damages worldwide

Anna Kournikova worm makes use of promise of photographs of the tennis star to inflict repeat of ILOVEYOU chaos.
Stuxnet virus begins concentrating on Iranian nuclear amenities in instance of what some later describe as “first cyberwar weapon”.
Conficker virus creates “botnet” of thousands and thousands of contaminated machines however in the end is rarely used.
Duqu virus found and stated to be associated to Stuxnet, sparking renewed fears of a possible cyber arms race.
Hackers use CryptoLocker virus to grab computer systems and drive individuals to pay to revive entry in new “ransomware” assault.
Denial of service assault launched by way of Mirai botnet — which makes use of contaminated internet-of-things gadgets — knocks dozens of main websites offline.
WannaCry ransomware assault strikes companies and public establishments world wide.

Supply: US Military

Because the convention broke for espresso, attendees’ cellphones and pagers started going off wildly. A number of friends approached Cluley, asking if the virus he’d described was unfold by way of e mail. He assured them it wasn’t — and, anyway, it was restricted to a distinct segment system that most individuals did not use.

“They stated, Nicely, that is bizarre as a result of we’re all of the sudden getting a great deal of emails with the topic line ‘I like you,'” Cluley stated in an interview from his residence in the UK.

When Cluley turned on his personal cellphone, he was bombarded with notifications of missed calls, voice mails and textual content messages. Again residence, Cluley’s employer, the anti-virus agency Sophos, had been getting “completely hammered” with cellphone calls from purchasers begging for assist and journalists making an attempt to know what the hell was occurring.

Cluley raced to the airport to catch a flight to London, and even traded cellphone batteries with a beneficiant taxi driver because the fixed stream of messages drained his Nokia cellphone of energy. When he landed in the UK, a automotive was ready to whisk him to a TV studio to debate what had by now grow to be one of many largest tech tales on the planet.

In 5 hours, ILOVEYOU unfold throughout Asia, Europe and North America, some 15 occasions quicker than the Melissa virus did when it struck a yr earlier than, infecting over 1 million computer systems.

Quickly after beginning enterprise on Could 4, the UK’s House of Commons needed to take its overloaded e mail servers offline, as did the Ford Motor Company and even Microsoft, whose Outlook software program was the first technique of spreading the virus.

On the time, Home windows controlled greater than 95% of the non-public laptop market, and Outlook got here bundled with Microsoft Workplace, then all-but-required for doing enterprise on a pc. For most individuals, Outlook was e mail.

Not like at the moment, when many e mail companies are run by way of centralized servers — suppose Outlook.com or Gmail — corporations in 2000 had been operating e mail off the identical servers on which they hosted their web site. This might be janky, gradual and startling insecure.

Again then, Cluley stated, “many corporations did not have in place filters their e mail gateways to try to cease spam, not to mention viruses.”

Although america had advance warning, the virus unfold simply as shortly there — as nearly everybody appeared apparently unable to withstand opening the “love letter.” Within the Pentagon, there was consternation because the virus hit america Military Forces Command (FORSCOM) mailing record, with 50,000 subscribers.

From there, nearly each main navy base within the nation — barring a handful that did not use Outlook — watched as their e mail companies had been crippled and compelled offline for hours as the issue was fastened.

Looking for the perpetrator

Throughout the Potomac River, on the FBI’s Washington, DC, headquarters, Michael Vatis was scrambling to get a deal with on the disaster.

As director of the Nationwide Infrastructure Safety Heart (NIPC), a comparatively new intergovernmental company tasked with tackling cyber threats, Vatis was awoken early Could Four with information of the ILOVEYOU virus hitting america. The NIPC quickly despatched out an alert warning of a “new, in-the-wild worm virus recognized as LoveLetter or LoveBug [that] is being propagated globally by way of e-mail,” but it surely got here too late to forestall a lot of the US authorities and navy, in addition to dozens of personal corporations, from being affected.

As anti-virus corporations slowly started rolling out patches, stemming the injury and enabling corporations to come back again on-line, consideration inside the FBI turned to monitoring down these accountable. The investigation was led by the New York subject workplace, which quickly discovered proof pointing again east, past Hong Kong, to the Philippines.

“In a really quick time frame, we ended up figuring out people within the Philippines and in search of the help of Philippine legislation enforcement,” stated Vatis, now a accomplice on the New York legislation agency Steptoe. “And a really quick time after that, the Philippine authorities in the end made an arrest.”

Each the technical repair and first break within the case got here so quick as a result of, for all its speedy dissemination world wide, the ILOVEYOU virus was clumsily coded and startlingly unsophisticated. It mashed collectively a number of current items of malware and did little to cover its workings.

“Each single sufferer of the love bug obtained a replica of the love bug’s code, the precise supply code,” stated Cluley, the Sophos analyst. “So it was easy to write down an antidote. It was no extra complicated than any of the opposite 1000’s and 1000’s of viruses we might seen that day. However in fact, this one was notably profitable at spreading itself.”

In addition to containing the blueprint for defeating it, the code additionally included some traces pointing to the id of its writer. It contained two e mail addresses — spyder@tremendous.internet.ph and mailme@tremendous.internet.ph — each of which had been based mostly within the Philippines. There was additionally a reference to GRAMMERSoft Group, which it stated was based mostly within the nation’s capital.

Whereas investigators had been cautious that these clues might be a smokescreen, the virus additionally communicated with a server hosted by the Manila-based Sky Internet, to which it despatched passwords scraped from victims’ computer systems. Sky shortly took the server offline, which stopped at the very least a part of the virus in its tracks.

With out the servers to ship info to — and it seems the virus’s writer was by no means in a position to entry what was despatched to the server, or at the very least act upon it — ILOVEYOU grew to become purely an engine of chaos and destruction. It churned by way of e mail inboxes world wide and deleted information, whereas not really serving the obvious unique goal of scraping passwords.

A suspect emerges

4 days after the virus started spreading, Philippines police searched an apartment in Manila and seized laptop magazines, telephones, disks, wires and cassette tapes. In addition they arrested one of many occupants, Reomel Ramones.

Ramones, a curly-haired 27-year-old who labored at an area financial institution, appeared like an unlikely laptop hacker, and investigators questioned if that they had arrested the unsuitable man. Consideration turned to the condo’s two different residents: Ramones’ girlfriend, Irene de Guzman, and her brother, Onel.

Onel de Guzman — who was not within the condo when it was raided, and couldn’t be discovered — was a scholar at AMA Laptop Faculty. The faculty was residence to a self-described hacking group, the now-defunct GRAMMERSoft, which specialised in serving to different college students cheat on their homework. Whereas police couldn’t show initially that de Guzman was a member, officers on the faculty shared with them a rejected remaining thesis he had written, which contained the code for a program bearing a startling resemblance to ILOVEYOU.

Within the draft thesis, de Guzman wrote that the aim of his proposed program was to “get Home windows passwords” and “steal and retrieve web accounts [from] the sufferer’s laptop.” On the time, dial-up web entry within the Philippines was paid for by the minute, in distinction to the blanket-use charges in a lot of Europe and america. De Guzman’s concept was that customers within the growing world may piggyback on the connections of these in richer international locations and “spend extra time on [the] web with out paying.”

Studying his proposal, de Guzman’s trainer was outraged, and wrote “we do not produce burglars” and “that is unlawful” within the margins. However whereas the thesis would value de Guzman his diploma, his trainer’s argument about illegality can be confirmed incorrect.

Onel de Guzman, seen here in May 2000, was quickly accused of being the author of the ILOVEYOU virus.

Authorized loophole

After a number of days out of the general public eye, de Guzman appeared on the press convention in Quezon, flanked by his lawyer and sister. Requested whether or not he may need been chargeable for the virus, he responded by way of his lawyer: “It’s doable.”

“He didn’t even know that the actions on his half would actually come to the outcomes which have been reported,” his lawyer stated. To a ripple of laughter from reporters, the lawyer added, after a mumbled session with de Guzman: “The web is meant to be instructional so it needs to be free.”

Requested what he felt concerning the injury brought on by the virus, de Guzman stated “nothing, nothing.”

Nothing would additionally turn into de Guzman’s punishment, regardless of reams of proof gathered by police within the Philippines and the settlement of the nation’s Nationwide Bureau of Investigation (NBI), the FBI and personal safety investigators, that he was the culprit.

The issue was not an absence of proof, however the lack of an applicable legislation to cost him with. The Philippines, like a variety of international locations on the flip of the millennium, had not legislated towards laptop crime. And an try and prosecute de Guzman on fraud expenses was later dropped. Whereas the Philippines did have an extradition treaty with america, it solely utilized to crimes prosecutable in each international locations. As soon as the case was dropped, there was little likelihood of sending de Guzman overseas.

Whereas Philippines lawmakers did rush by way of a legislation criminalizing laptop hacking quickly after the ILOVEYOU incident, it couldn’t be utilized retroactively.

“We had been unable to deliver to justice a wrongdoer who brought on hurt to thousands and thousands of individuals and firms world wide,” Senator Edgardo J. Angara said years later, echoing the embarrassment felt by many Philippines politicians and legislation enforcement officers.

For others within the nation, de Guzman was a hero. “Here’s a Filipino genius who has put the Philippines on the world map,” wrote one newspaper columnist. “[He] has confirmed that the Filipino has the creativity and ingenuity to show, for higher or for worse, the world the wrong way up.” It even spawned a film, “Subject: I love you,” which depicted the virus creator as a lovelorn man making an attempt to reconnect “with the one girl he had ever cherished.”

At de Guzman’s school, a fellow scholar told the New York Times, the virus had “made us proud.” One other basked within the capability of a Filipino hacker to “penetrate the Pentagon … though the Philippines is a third-world nation, though we’re behind in know-how, they had been ready to do this.”

20 years on, this response nonetheless annoys Cluley, the Sophos investigator. “It is the sort of factor that has you thumping your head towards a wall in frustration,” he stated. “This was when malware was simply starting to get a bit of nastier and a bit of extra malicious and extra financially motivated.”

“This wasn’t the message we needed to provide younger individuals, that this was all proper.”

The risk of attacks like ILOVEYOU has not gone away. So-called ransomware attacks which targeted many businesses in 2017 relied on just the same kind of social engineering as the love bug.

Lengthy legacy

There have been admirers of de Guzman’s work exterior the Philippines, too. Inside hours of ILOVEYOU spreading, remixed copycats had sprung up, with messages reminiscent of “very humorous,” “joke,” “Mom’s Day,” or, most cynically, “VIRUS ALERT!!!” Amazingly, regardless of the close to wall-to-wall media protection of the ILOVEYOU virus on the time, this didn’t cease many individuals opening suspicious attachments which bore a distinct message.

The love bug and its variants would trigger some $10 billion of injury, the FBI later estimated, earlier than updates to anti-virus software program and e mail purchasers reined them in. To today, ILOVEYOU stays one of many farthest reaching viruses, hanging thousands and thousands of machines in international locations internationally.

“It had an unlimited impact,” stated Vatis, the previous NIPC director. “It was actually worldwide entrance web page information for at the very least a number of days in a means that laptop assaults had not been prior to now.”

Whereas earlier assaults had brought on extra direct injury, and people sooner or later can be extra refined and much simpler of their aim, they had been additionally rather more restricted in scope. Different viruses have focused particular areas, companies or governments. ILOVEYOU may have an effect on nearly anybody operating Home windows Outlook.

“It hit residence in a means that different earlier assaults didn’t,” Vatis stated. “It made individuals conscious that this isn’t simply one thing that occurs to protection companies or house owners of internet sites, that is one thing that may occur to any Joe or Jane sitting at residence on the pc or within the workplace, and it could actually shut you down and actually disrupt your capability to function.”

And whereas e mail purchasers have gotten higher at filtering out malicious-seeming messages, the primary weak point that ILOVEYOU exploited stays inconceivable to repair.

“You’ll be able to replace your working programs or you possibly can have one of the best e mail filters on the planet, however you possibly can’t patch the human mind,” stated Cluley.

To today, a number of the most profitable cyber assaults — whether or not they be linked to nation-state actors, legal organizations or lone-wolf hackers — have used social engineering as their major weapon. The hackers that stole emails from the Democratic Nationwide Committee (DNC) in 2016 did so by tricking Hillary Clinton’s campaign chairman John Podesta into handing over the password to his Google account. Those that focused Google in 2003 went after the corporate’s staff over on the spot messaging. And ransomware attacks, an more and more widespread type of rip-off whereby victims’ computer systems and accounts are frozen till they pay to unlock them, nearly at all times work by getting individuals to click on a dodgy hyperlink.

Whereas some hackers use zero-day exploits, beforehand unrevealed vulnerabilities in key software program, or purpose built spying tools to go after their victims, many don’t use code rather more refined than that seen within the ILOVEYOU assault. They needn’t.

“People are at all times the weak hyperlink,” Vatis stated. “It is nearly at all times simpler to take advantage of a human by way of some social engineering gambit than it’s to crack, you understand, some technological defensive measure.”

One factor that has modified considerably since ILOVEYOU is how ready most corporations are for such an incident. Most at the very least have some sort of anti-virus safety, and again up their information. However all of the specialists who tackled ILOVEYOU twenty years in the past agreed that there stays a startling diploma of complacency over doubtlessly devastating cyber assaults.

“What’s scary is that 20 years after, there are nonetheless loads of organizations who do not take this severely till they’re hit,” stated Gazeley, the Hong Kong cybersecurity knowledgeable. “So many individuals nonetheless do not plan forward.”

What largely prevents such an assault is that almost all corporations and people outsource operating e mail servers to those that know easy methods to do it greatest — primarily Microsoft and Google — and depend on them to filter incoming messages, reduce out spam and warn of potential assaults.

Had been a worm like ILOVEYOU to discover a well past these filters, and unfold quick sufficient to forestall the businesses rolling out a patch, the potential for it doing main injury stays. There is no such thing as a cause to count on that the typical person has grown any much less complacent at the moment. With e mail suppliers doing many of the work in recognizing dodgy messages, they could really be extra so.

Vatis stated that the potential impact on on-line communications of such a worm might be “devastating,” as may the knock on the worldwide financial system as corporations go offline or lose enterprise abruptly. He in contrast the scenario to individuals who keep away from getting vaccinated for the flu yearly.

“That is not an issue for society as a complete till the vaccination fee drops under a sure proportion,” he stated. “After which you may have lots of people getting actually sick.”

— to www.cnn.com